Cognito

AWSim emulates two Cognito services: User Pools (cognito-idp) and Identity Pools (cognito-identity).

User Pools (cognito-idp)

Protocol: AwsJson1_1 (X-Amz-Target: AWSCognitoIdentityProviderService.*) Signing name: cognito-idpTarget Prefix: AWSCognitoIdentityProviderServicePersistent: Yes

Quick Start (User Pools)

Create a pool, add a client, create a user, and sign in:

bash

# Create a user pool
POOL_ID=$(curl -s http://localhost:4566 \
  -H "Content-Type: application/x-amz-json-1.1" \
  -H "X-Amz-Target: AWSCognitoIdentityProviderService.CreateUserPool" \
  -H "Authorization: AWS4-HMAC-SHA256 Credential=test/20260421/us-east-1/cognito-idp/aws4_request, SignedHeaders=host, Signature=fake" \
  -d '{"PoolName":"my-pool"}' \
  | jq -r '.UserPool.Id')

# Create a client
CLIENT_ID=$(curl -s http://localhost:4566 \
  -H "Content-Type: application/x-amz-json-1.1" \
  -H "X-Amz-Target: AWSCognitoIdentityProviderService.CreateUserPoolClient" \
  -H "Authorization: AWS4-HMAC-SHA256 Credential=test/20260421/us-east-1/cognito-idp/aws4_request, SignedHeaders=host, Signature=fake" \
  -d "{\"UserPoolId\":\"$POOL_ID\",\"ClientName\":\"my-app\",\"ExplicitAuthFlows\":[\"ALLOW_USER_PASSWORD_AUTH\",\"ALLOW_REFRESH_TOKEN_AUTH\"]}" \
  | jq -r '.UserPoolClient.ClientId')

# Create a user and set password
curl -s http://localhost:4566 \
  -H "Content-Type: application/x-amz-json-1.1" \
  -H "X-Amz-Target: AWSCognitoIdentityProviderService.AdminCreateUser" \
  -H "Authorization: AWS4-HMAC-SHA256 Credential=test/20260421/us-east-1/cognito-idp/aws4_request, SignedHeaders=host, Signature=fake" \
  -d "{\"UserPoolId\":\"$POOL_ID\",\"Username\":\"[email protected]\",\"TemporaryPassword\":\"Temp@123!\"}"

curl -s http://localhost:4566 \
  -H "Content-Type: application/x-amz-json-1.1" \
  -H "X-Amz-Target: AWSCognitoIdentityProviderService.AdminSetUserPassword" \
  -H "Authorization: AWS4-HMAC-SHA256 Credential=test/20260421/us-east-1/cognito-idp/aws4_request, SignedHeaders=host, Signature=fake" \
  -d "{\"UserPoolId\":\"$POOL_ID\",\"Username\":\"[email protected]\",\"Password\":\"MyPassword123!\",\"Permanent\":true}"

# Sign in
curl -s http://localhost:4566 \
  -H "Content-Type: application/x-amz-json-1.1" \
  -H "X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth" \
  -H "Authorization: AWS4-HMAC-SHA256 Credential=test/20260421/us-east-1/cognito-idp/aws4_request, SignedHeaders=host, Signature=fake" \
  -d "{\"AuthFlow\":\"USER_PASSWORD_AUTH\",\"ClientId\":\"$CLIENT_ID\",\"AuthParameters\":{\"USERNAME\":\"[email protected]\",\"PASSWORD\":\"MyPassword123!\"}}"

User Pool Management

Operation	Description
`CreateUserPool`	Create a user pool with schema, password policy, MFA settings
`DeleteUserPool`	Delete a user pool
`DescribeUserPool`	Get user pool configuration
`ListUserPools`	List all user pools
`UpdateUserPool`	Update user pool configuration
`AddCustomAttributes`	Add custom attributes to the schema

User Pool Clients

Operation	Description
`CreateUserPoolClient`	Create an app client with explicit auth flows
`DescribeUserPoolClient`	Get client configuration and client secret
`UpdateUserPoolClient`	Update client configuration
`DeleteUserPoolClient`	Delete a client
`ListUserPoolClients`	List all clients

User Management

Operation	Description
`SignUp`	Self-registration with username and password
`ConfirmSignUp`	Confirm registration with code (use `123456` in AWSim)
`AdminConfirmSignUp`	Admin-confirm a user without a code
`AdminCreateUser`	Create a user as admin with temporary password
`AdminDeleteUser`	Delete a user
`AdminGetUser`	Get user details and attributes
`AdminSetUserPassword`	Set user password (use `Permanent: true` to skip force-change)
`AdminEnableUser`	Enable a disabled user
`AdminDisableUser`	Disable a user
`AdminResetUserPassword`	Force password reset on next login
`AdminUpdateUserAttributes`	Update user attributes as admin
`AdminDeleteUserAttributes`	Delete user attributes as admin
`AdminUserGlobalSignOut`	Sign out all user sessions
`ListUsers`	List users with optional filter expression
`GetUser`	Get current user's attributes (requires access token)
`UpdateUserAttributes`	Update current user's attributes
`DeleteUserAttributes`	Delete current user's attributes
`DeleteUser`	Delete the current user
`VerifyUserAttribute`	Verify an attribute (e.g. email)
`GetUserAttributeVerificationCode`	Send attribute verification code
`ResendConfirmationCode`	Resend confirmation code
`RevokeToken`	Revoke a refresh token

Authentication

Operation	Description
`InitiateAuth`	Start auth flow: `USER_PASSWORD_AUTH`, `REFRESH_TOKEN_AUTH`, `USER_SRP_AUTH`
`AdminInitiateAuth`	Admin-initiated auth flow (server-side)
`RespondToAuthChallenge`	Respond to a challenge: `NEW_PASSWORD_REQUIRED`, `SOFTWARE_TOKEN_MFA`
`AdminRespondToAuthChallenge`	Admin respond to challenge
`ForgotPassword`	Initiate forgot password flow (code is always `123456`)
`ConfirmForgotPassword`	Confirm new password with code
`ChangePassword`	Change password (requires access token)
`GlobalSignOut`	Sign out all sessions for current user

Groups

Operation	Description
`CreateGroup`	Create a group with optional IAM role
`GetGroup`	Get group details
`UpdateGroup`	Update group description or role
`DeleteGroup`	Delete group
`ListGroups`	List all groups
`AdminAddUserToGroup`	Add user to group
`AdminRemoveUserFromGroup`	Remove user from group
`AdminListGroupsForUser`	List groups for a user
`ListUsersInGroup`	List users in a group

MFA

Operation	Description
`SetUserPoolMfaConfig`	Configure MFA for the pool (TOTP, SMS, optional/required)
`GetUserPoolMfaConfig`	Get MFA configuration
`AssociateSoftwareToken`	Begin TOTP setup — returns a secret key
`VerifySoftwareToken`	Verify TOTP setup with a valid code
`SetUserMFAPreference`	Set user's preferred MFA method
`AdminSetUserMFAPreference`	Admin set user's MFA preference

Resource Servers and Identity Providers

Operation	Description
`CreateResourceServer`	Create an OAuth resource server with custom scopes
`DescribeResourceServer`	Get resource server
`UpdateResourceServer`	Update resource server
`DeleteResourceServer`	Delete resource server
`ListResourceServers`	List resource servers for a pool
`CreateIdentityProvider`	Register a federated identity provider (SAML, OIDC, social)
`DescribeIdentityProvider`	Get identity provider details
`UpdateIdentityProvider`	Update provider details
`DeleteIdentityProvider`	Remove an identity provider
`ListIdentityProviders`	List identity providers for a pool
`GetIdentityProviderByIdentifier`	Find provider by identifier

Operation	Description
`TagResource`	Add tags to a user pool by ARN
`UntagResource`	Remove tags from a user pool
`ListTagsForResource`	List tags for a user pool

Domains

Operation	Description
`CreateUserPoolDomain`	Create a hosted-UI domain for the pool
`DescribeUserPoolDomain`	Describe a user pool domain; returns empty if not found
`DeleteUserPoolDomain`	Delete the hosted-UI domain
`UpdateUserPoolDomain`	Update the domain custom certificate

Identity Pools (cognito-identity)

Protocol: AwsJson1_1 (X-Amz-Target: AWSCognitoIdentityService.*) Signing name: cognito-identityTarget Prefix: AWSCognitoIdentityServicePersistent: Yes

Identity Pools issue temporary AWS credentials via STS-style credential vending based on IAM role mappings.

Quick Start (Identity Pools)

bash

# Create an identity pool
POOL_ID=$(curl -s http://localhost:4566 \
  -H "Content-Type: application/x-amz-json-1.1" \
  -H "X-Amz-Target: AWSCognitoIdentityService.CreateIdentityPool" \
  -H "Authorization: AWS4-HMAC-SHA256 Credential=test/20260421/us-east-1/cognito-identity/aws4_request, SignedHeaders=host, Signature=fake" \
  -d '{"IdentityPoolName":"my-identity-pool","AllowUnauthenticatedIdentities":true}' \
  | jq -r '.IdentityPoolId')

# Get credentials for an identity
curl -s http://localhost:4566 \
  -H "Content-Type: application/x-amz-json-1.1" \
  -H "X-Amz-Target: AWSCognitoIdentityService.GetCredentialsForIdentity" \
  -H "Authorization: AWS4-HMAC-SHA256 Credential=test/20260421/us-east-1/cognito-identity/aws4_request, SignedHeaders=host, Signature=fake" \
  -d "{\"IdentityId\":\"us-east-1:some-identity-id\"}"

Operations

Operation	Description
`CreateIdentityPool`	Create an identity pool with authentication providers
`DeleteIdentityPool`	Delete an identity pool
`DescribeIdentityPool`	Get pool configuration and role mappings
`ListIdentityPools`	List all identity pools
`UpdateIdentityPool`	Update pool configuration (role mappings, providers)
`GetId`	Get or create an identity ID for a user
`GetCredentialsForIdentity`	Get temporary AWS credentials for an identity

OAuth / OIDC

Cognito User Pools expose full OAuth 2.0 / OIDC endpoints. See Cognito OAuth/OIDC for the hosted login page, token endpoint, JWKS, and NextAuth.js integration.

The hosted UI also exposes a logout endpoint at GET /cognito/{pool_id}/logout that mirrors AWS Cognito:

Query	Behaviour
`?client_id=X&logout_uri=Y`	Validates `Y` against the client's `LogoutURLs` and 302s there.
`?client_id=X&redirect_uri=Y&response_type=code`	Validates `Y` against the client's `CallbackURLs` and 302s back through `/oauth2/authorize`.
(neither)	`400 Bad Request` — same as real Cognito.

Admin Console UI

The pool list lives at /cognito. Clicking a pool navigates to /cognito/[poolId] — a full-route detail page with a left-nav covering eight sections:

Section	What it covers
Users	Server-side filter (Cognito `username ^=` prefix), `25 / 50 / 100 per page`, Prev/Next pagination via `PaginationToken`, inline detail (attributes editor + group memberships + auth events viewer), bulk Import CSV that loops `AdminCreateUser` with progress + error reporting.
Groups	Create / delete / inline member-list editor with `AdminAddUserToGroup` / `AdminRemoveUserFromGroup`.
App clients	Create + delete with Prev/Next pagination. Inline editor for `CallbackURLs`, `LogoutURLs`, `AllowedOAuthFlows`, `AllowedOAuthScopes`, `ExplicitAuthFlows`, plus the `AllowedOAuthFlowsUserPoolClient` toggle. Client secret is masked with reveal + copy.
Domain	Hosted-UI `Domain` from `DescribeUserPool` plus inline create / delete via `CreateUserPoolDomain` / `DeleteUserPoolDomain`.
Triggers	Editable map of every Cognito Lambda trigger (`PreSignUp`, `PostConfirmation`, `CustomMessage`, `DefineAuthChallenge`, `CreateAuthChallenge`, `VerifyAuthChallengeResponse`, `PreTokenGeneration`, `UserMigration`, `CustomEmailSender`, `CustomSMSSender`, …) → Lambda function ARN. Saves via `UpdateUserPool.LambdaConfig`.
Policies	Password policy editor (`MinimumLength`, `Require*`, `TemporaryPasswordValidityDays`), MFA mode (`OFF` / `OPTIONAL` / `ON`) + TOTP factor toggle, tag editor (`ListTagsForResource` / `TagResource` / `UntagResource`).
Federation	List / create / edit / delete identity providers (`OIDC`, `SAML`, `Google`, `Facebook`, `SignInWithApple`, `LoginWithAmazon`) with `ProviderDetails` + `AttributeMapping` key-value editors. Per-IdP suggested-keys datalist matches the AWS shape. Resource servers + custom OAuth scopes managed in the same tab.
Appearance	UI customization editor — pick scope (pool default or per-app-client), set logo URL + CSS, save via `SetUICustomization`. Stored for SDK round-trip parity even though awsim's hosted UI doesn't apply the CSS yet.

The active section is URL-synced as ?section=<id> so reloads + share-links land where you left.

SDK Example (User Pools)

typescript

import {
  CognitoIdentityProviderClient,
  CreateUserPoolCommand,
  CreateUserPoolClientCommand,
  AdminCreateUserCommand,
  AdminSetUserPasswordCommand,
  InitiateAuthCommand,
} from '@aws-sdk/client-cognito-identity-provider';

const cognito = new CognitoIdentityProviderClient({
  region: 'us-east-1',
  endpoint: 'http://localhost:4566',
  credentials: { accessKeyId: 'test', secretAccessKey: 'test' },
});

// Create user pool
const { UserPool } = await cognito.send(new CreateUserPoolCommand({
  PoolName: 'my-pool',
  Policies: {
    PasswordPolicy: {
      MinimumLength: 8,
      RequireUppercase: true,
      RequireLowercase: true,
      RequireNumbers: true,
    },
  },
}));
const userPoolId = UserPool!.Id!;

// Create client
const { UserPoolClient } = await cognito.send(new CreateUserPoolClientCommand({
  UserPoolId: userPoolId,
  ClientName: 'my-app',
  ExplicitAuthFlows: ['ALLOW_USER_PASSWORD_AUTH', 'ALLOW_REFRESH_TOKEN_AUTH'],
}));
const clientId = UserPoolClient!.ClientId!;

// Create user with permanent password
await cognito.send(new AdminCreateUserCommand({
  UserPoolId: userPoolId,
  Username: '[email protected]',
  TemporaryPassword: 'Temp@123!',
}));
await cognito.send(new AdminSetUserPasswordCommand({
  UserPoolId: userPoolId,
  Username: '[email protected]',
  Password: 'MyPassword123!',
  Permanent: true,
}));

// Sign in
const { AuthenticationResult } = await cognito.send(new InitiateAuthCommand({
  AuthFlow: 'USER_PASSWORD_AUTH',
  ClientId: clientId,
  AuthParameters: {
    USERNAME: '[email protected]',
    PASSWORD: 'MyPassword123!',
  },
}));

console.log('Access Token:', AuthenticationResult?.AccessToken);
console.log('Refresh Token:', AuthenticationResult?.RefreshToken);

Behavior Notes

Email verification and confirmation codes are always 123456 — no real email is sent.
SMS-based MFA is accepted but no SMS is delivered — use TOTP or skip verification in tests.
Tokens are real JWTs signed with a locally generated RSA key; they can be verified against the JWKS endpoint at http://localhost:4566/{userPoolId}/.well-known/jwks.json.
Identity pool credentials are valid for testing SDK calls — they use the AWSim account.

Password policy enforcement

Every password-mutating operation (SignUp, AdminCreateUser, AdminSetUserPassword, ChangePassword, ConfirmForgotPassword) validates against the user pool's Policies.PasswordPolicy. Each rule (minimum length, lowercase, uppercase, numeric, symbol) raises InvalidPasswordException with a rule-specific message matching real Cognito.

Account lockout

Five consecutive failed InitiateAuth / AdminInitiateAuth attempts on the same user lock the account for 15 minutes. Subsequent attempts return NotAuthorizedException with "Password attempts exceeded" even on the right password. A successful login or any administrative password reset clears the counter. (Real Cognito gates this behind Advanced Security; we ship it always-on for local testing.)

Compromised-credentials BLOCK

SetRiskConfiguration with a CompromisedCredentialsRiskConfiguration whose Actions.EventAction is BLOCK (and EventFilter covers SIGN_IN) is honored on every sign-in. Passwords on a built-in compromised list (password, 12345678, qwerty, etc.) are rejected with NotAuthorizedException even when otherwise correct. Real Cognito uses a much larger AWS-curated dataset.

Auth event history

Every sign-in is recorded as an AuthEvent with EventResponse, RiskDecision, RiskLevel, and CompromisedCredentialsDetected flags. AdminListUserAuthEvents returns the most recent 100 events newest-first. (Admin)UpdateAuthEventFeedback mutates the matching event's FeedbackValue so SDKs can verify their feedback loop end-to-end.

Cognito ​

User Pools (cognito-idp) ​

Quick Start (User Pools) ​

User Pool Management ​

User Pool Clients ​

User Management ​

Authentication ​

Groups ​

MFA ​

Resource Servers and Identity Providers ​

Tags ​

Domains ​

Identity Pools (cognito-identity) ​

Quick Start (Identity Pools) ​

Operations ​

OAuth / OIDC ​

Admin Console UI ​

SDK Example (User Pools) ​

Behavior Notes ​

Password policy enforcement ​

Account lockout ​

Compromised-credentials BLOCK ​

Auth event history ​